fix: harden execFileNoThrow for CodeQL (#338)

2026-04-04 19:09:54 +05:30
parent 80a2f1414c
commit 4c3118e071
4 changed files with 239 additions and 77 deletions
--- a/src/utils/execFileNoThrow.test.ts
+++ b/src/utils/execFileNoThrow.test.ts
@@ -1,4 +1,7 @@
 import { expect, test } from 'bun:test'
+import { mkdtempSync, writeFileSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
 import { execFileNoThrowWithCwd } from './execFileNoThrow.js'

 test('execFileNoThrowWithCwd rejects shell-like executable names', async () => {
@@ -18,8 +21,37 @@ test('execFileNoThrowWithCwd rejects cwd values with control characters', async
 })

 test('execFileNoThrowWithCwd rejects arguments with control characters', async () => {
-  const result = await execFileNoThrowWithCwd(process.execPath, ['--version\nmalicious'])
+  const result = await execFileNoThrowWithCwd(process.execPath, [
+    '--version\nmalicious',
+  ])

  expect(result.code).toBe(1)
  expect(result.error).toContain('Unsafe argument')
 })
+
+test('execFileNoThrowWithCwd rejects environment entries with control characters', async () => {
+  const result = await execFileNoThrowWithCwd(process.execPath, ['--version'], {
+    env: {
+      ...process.env,
+      BAD_ENV: 'line1\nline2',
+    },
+  })
+
+  expect(result.code).toBe(1)
+  expect(result.error).toContain('Unsafe environment')
+})
+
+test('execFileNoThrowWithCwd preserves Windows .cmd compatibility', async () => {
+  if (process.platform !== 'win32') {
+    return
+  }
+
+  const dir = mkdtempSync(join(tmpdir(), 'openclaude-execfile-'))
+  const file = join(dir, 'hello.cmd')
+  writeFileSync(file, '@echo off\r\necho hello\r\n')
+
+  const result = await execFileNoThrowWithCwd(file, [])
+
+  expect(result.code).toBe(0)
+  expect(result.stdout).toContain('hello')
+})